Numerous Canadian media outposts are reporting on the loss of student loan information by Human Resources and Skills Development Canada. It's being labeled as a "new" data breach by the government but let's be honest, the only thing new about it is the press release. It's part of the same old story, a continuance of an affliction that has been ongoing due to the lack of data security software like AlertBoot laptop encryption SaaS.

583,000 Canadians Affected

According to theglobeandmail.com, the latest fiasco on the part of Human Resources and Skills Development Canada (HRSD) was reported this past Friday. HRSD alerted in a press release this past Friday that a storage device containing data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 was lost.

Depending on which article you read, the device is described as a "portable hard drive" or a "USB key." Technically, the latter would be included under the former, but generally a USB key is in a category by itself. Regardless, either would have been protected with the use of AlertBoot Mobile Security, which not only encrypts a laptop computer's hard drive, but also automatically encrypts any external data storage devices that connect to a protected drive (and, in order not to hamstring a USB key's utility, it is shareable between AlertBoot-encrypted computers).

Of course, it's not really the medium that's important, but the data contained in that medium: "student names, social insurance numbers, dates of birth, contact information and loan balances of borrowers" were present, according to the theglobeandmail.com, but no banking or medical information. People in Quebec, Nunavut, and the Northwest Territories were not affected because these territories manage their own student loan programs.

Interestingly enough, Quebec is not entirely in the clear: personal contact information of 250 department employees working out of a Gatineau, Quebec office were also affected by the data breach.

A toll-free number has been set-up at 866-885-1866 (416-572-1113 outside of North America) for inquiries by affected individuals.

Of course, if the callers are as mad as these people, perhaps those fielding calls won't be answering inquiries as much as taking an earful of complaints. (To which, I note, the people answering the phones at these two numbers are probably temps, so go easy on them).

The loss of the hard drive from an office in Gatineau, Que., came to light as the department looked into another breach — a missing USB key containing the personal information of more than 5,000 Canadians.

The privacy commissioner's office has already begun a probe of that incident, which was publicized last month.

Needless to say, the privacy commissioner is extending her investigation into this one as well. As she should, as this is being labeled Canada's largest data breach to date.

But, as I already pointed out, can you honestly call this a second data breach? Wouldn't it just be a symptom of what the public already knew? Namely, that HRSD doesn't have the proper solution to prevent such confidentiality breaches from occurring?

I'm not even sure what to make of the following quote:

"It's definitely unfortunate," said Adam Awad, national chairman of the Canadian Federation of Students, which received a briefing on the loss.

"It highlights how easy it is for information in today's age to be misplaced, to be misappropriated, to be stolen — if that's what the case was."

Yes, it is unfortunate.... It's also fully preventable. And, it's not new. It' not as if Canada has been immune to the problem of information security breaches. Canada's own Office of the Privacy Commissioner has been blowing the horn on this one, year after year.

Not to continue harping the obvious, but a disk encryption solution that allows USB sharing between protected computers would have nipped this in the bud. Not to mention other instances of data breaches outside of an organization's control, such as burglaries (at home and at work).

What this case really goes on to show is not how easy it is to lose data, but how an organization's data security problems are never over as long as the correct policies, training, and technical solutions are not in place.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.